RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Wohlgehagen, Max W
We use a group membership with a VB based HTA from our intranet. Works fine for 
a single domain model



From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Fri 12/22/2006 1:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets



I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it is 
continually having problems and want to know if there are any other ways.



Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]




Important - This email and any attachments may be confidential. If received in 
error, please contact us and delete all copies. Before opening or using 
attachments check them for viruses and defects. Regardless of any loss, damage 
or consequence, whether caused by the negligence of the sender or not, 
resulting directly or indirectly from the use of any attached files our 
liability is limited to resupplying any affected attachments. Any 
representations or opinions expressed are those of the individual sender, and 
not necessarily those of the Department of Education.

[ActiveDir] Jason Centenni is Out Of Town

2006-12-22 Thread Jason_Centenni
I will be out of the office starting  12/22/2006 and will not return until
01/02/2007.

 If you have an urgent question concerning Active Directory  please contact
JHRH or DSC On-call.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir@mail.activedir.org/


RE: [ActiveDir] Updating cached credentials

2006-12-22 Thread Ken Cornetet
We proved it by running GPRESULT and seeing the group listed as one of
the groups the user was a member of.
 
The dialup connection option requires that the Nortel VPN client be
installed in what Nortel calls service mode. Our network folk don't
allow that (long story).
 
It isn't an SSL VPN, it is ipsec.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, December 21, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


how'd you prove that the user creds were resynched and that the group
memberships were appropriate? 

Saying that, I'm sure that a gina would have solved that issue if you
logon via the dial up connection.  Have you already tried that method?
(that's where you create the vpn as connection you can choose and prior
to logon use the dial up connection check box for the logon.  That
implies that you have the alternate GINA installed from Nortel. 

For your method you specified here, does that work with the ssl vpn?
That would greatly interest me if it did. 

Al


On 12/21/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

I have found a solution to the problem of updating group
information in cached credentials. Here's how a user would do it
(assumes user has admin rights, sorry)
 

Log on with a LOCAL user id.
Establish a VPN connection.
Use ALT+CTRL+DEL to lock the workstation.
Unlock the workstation using your DOMAIN user ID, not the local
user ID (This will cause the local user id to be logged off).
Log in with your domain user ID.
Run GPUPDATE /FORCE
 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 2:16 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



My suggestion on that is to check with Nortel without mentioning
the psynch control and see what they recommend. 

SSL vpns are by nature a user-mode application but I'm not
familiar with how Nortel recommends to use it. 

As for the gpresult, I'm sorry to say I do not know where it
gets its information. Might be worth filing a DCR for it to get the
information from the same place that the group policy engine does,
though. 

Al


On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

The three finger salute did NOT result in the GPO being
applied. The only thing that made the GPO get applied was the Psynch
ActiveX control.
 
We have a recent version of the Nortel VPN client (May
2006). I do not know if it is the latest.
 
Most, if not all security fixes applied to XP clients.
 
On your last question, I believe you are referring to
what Nortel calls service mode where the VPN client installs itself as
a service and the user supplies their VPN credentials (we use SecurID)
on the NT logon screen. Our networking people (they own the VPN and
client) will not allow it to be used in that manner without testing, and
they won't test because they are replacing the Nortel IPSec VPN with an
SSL VPN (which I presume will have the same issue).



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 12:42 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



You said the gpresult didn't give you the group
membership regardless, right? Just that the gpo was applied properly
after the three finger salute.  I do know that the three finger salute
method, with Nortel's client will cache the user's credentials ( i.e.
the user's password) but was not sure if it would for the group
membership. 

That's interesting.  

Did you check to be sure you have the latest Nortel
client and fixes for your XP clients? 

One other thing: I suppose it's semantics that we're
discussing, but have you considered having the user logon using the
dial-up connection ( i.e. the Nortel client via the GINA method) instead
of having the user logon first, then establish the vpn? What were the
results of that method? 




On 11/29/06, Ken Cornetet [EMAIL PROTECTED]
wrote: 

We had the user reboot, login using cached
credentials, start the VPN, then run GPRESULT.



From: [EMAIL PROTECTED]
[mailto: [EMAIL 

Re: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Michael Miller
I put the user accounts of the helpdesk personnel in the built in group, 
Account Operators. This is precisely why I think that group exists.


-mjm


Salandra, Justin A. wrote:


I wanted to find out from all of you what ways you have delegated 
password reset functions to your helpdesks.  We have a product that 
does this but it is continually having problems and want to know if 
there are any other ways.


 


Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 




Re: [ActiveDir] Delegate Password Resets

2006-12-22 Thread AFidel
I would be careful about that:
Account Operators: ...Members of this group can log on locally to domain 
controllers in the domain and shut them down... 
http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true

Andrew Fidel



Michael Miller [EMAIL PROTECTED] 
Sent by: [EMAIL PROTECTED]
12/22/2006 10:38 AM
Please respond to
ActiveDir@mail.activedir.org


To
ActiveDir@mail.activedir.org
cc

Subject
Re: [ActiveDir] Delegate Password Resets






I put the user accounts of the helpdesk personnel in the built in group, 
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated 
 password reset functions to your helpdesks.  We have a product that 
 does this but it is continually having problems and want to know if 
 there are any other ways.

 

 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

 




RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Tim Onsomu
Account Operators have more permissions than just resetting passwords.

Here is the information from MS documentation.

Account Operators


Members of this group can create, modify, and delete accounts for users,
groups, and computers located in the Users or Computers containers and
organizational units in the domain, except the Domain Controllers
organizational unit. Members of this group do not have permission to
modify the Administrators or the Domain Admins groups, nor do they have
permission to modify the accounts for members of those groups. Members
of this group can log on locally to domain controllers in the domain and
shut them down. Because this group has significant power in the domain,
add users with caution.

Source:
http://technet2.microsoft.com/WindowsServer/en/library/1631acad-ef34-4f77-9c2e-94a62f8846cf1033.mspx?mfr=true


Happy holidays




-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group,
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated 
 password reset functions to your helpdesks.  We have a product that 
 does this but it is continually having problems and want to know if 
 there are any other ways.

  

 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

  



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
Personally, I see the Account Operators group as going far beyond the
principle of least privilege.  I simply have not run across a helpdesk
that actually requires the privileges on a scale that the built-in
Account Operators group provides.  Most helpdesk personnel will do the
majority of their account related work through joining computers to the
domain, reset computer accounts, reset user passwords, and unlock user
accounts.  

On top of that, if you've arranged your OU structure so user accounts
and computer accounts are split up in a meaningful manner, then more
than likely the helpdesk personnel only need rights to do their limited
tasks (that I stated above) in only a few OUs.

Account Operator pretty much gives blanket full control to all user and
computer accounts in all OUs and that just seems overboard to me.  Not
to mention (with default settings) members of the Account Operators
group have the ability to log on locally to Domain Controllers which I
would expect is probably something most helpdesk personnel should not be
doing.

Anyway, what I'm trying to say is that I much prefer to work at giving
people the permissions they need to do their job and nothing more (or as
close to nothing as possible).  I've found that user error is the most
likely type of issue to arise and when you limit the rights of users to
only what they need, you end up significantly reducing your own workload
by preventing major issues from occurring in the first place.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 7:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group,
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated 
 password reset functions to your helpdesks.  We have a product that 
 does this but it is continually having problems and want to know if 
 there are any other ways.

  

 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

  



Re: [ActiveDir] Updating cached credentials

2006-12-22 Thread Al Mulnick

Thanks Ken!

On 12/22/06, Ken Cornetet [EMAIL PROTECTED] wrote:


 We proved it by running GPRESULT and seeing the group listed as one of
the groups the user was a member of.

The dialup connection option requires that the Nortel VPN client be
installed in what Nortel calls service mode. Our network folk don't allow
that (long story).

It isn't an SSL VPN, it is ipsec.

 --
*From:* [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] *On Behalf Of *Al Mulnick
*Sent:* Thursday, December 21, 2006 3:30 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* Re: [ActiveDir] Updating cached credentials

how'd you prove that the user creds were resynched and that the group
memberships were appropriate?

Saying that, I'm sure that a gina would have solved that issue if you
logon via the dial up connection.  Have you already tried that method?
(that's where you create the vpn as connection you can choose and prior to
logon use the dial up connection check box for the logon.  That implies
that you have the alternate GINA installed from Nortel.

For your method you specified here, does that work with the ssl vpn? That
would greatly interest me if it did.

Al

On 12/21/06, Ken Cornetet [EMAIL PROTECTED] wrote:

  I have found a solution to the problem of updating group information in
 cached credentials. Here's how a user would do it (assumes user has admin
 rights, sorry)

  Log on with a LOCAL user id.
 Establish a VPN connection.
 Use ALT+CTRL+DEL to lock the workstation.
 Unlock the workstation using your DOMAIN user ID, not the local user ID
 (This will cause the local user id to be logged off).
 Log in with your domain user ID.
 Run GPUPDATE /FORCE



  --
 *From:* [EMAIL PROTECTED] [mailto:
 [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
 *Sent:* Wednesday, November 29, 2006 2:16 PM
 *To:* ActiveDir@mail.activedir.org
 *Subject:* Re: [ActiveDir] Updating cached credentials

  My suggestion on that is to check with Nortel without mentioning the
 psynch control and see what they recommend.

 SSL vpns are by nature a user-mode application but I'm not familiar with
 how Nortel recommends to use it.

 As for the gpresult, I'm sorry to say I do not know where it gets its
 information. Might be worth filing a DCR for it to get the information from
 the same place that the group policy engine does, though.

 Al

 On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote:
 
   The three finger salute did NOT result in the GPO being applied. The
  only thing that made the GPO get applied was the Psynch ActiveX control.
 
  We have a recent version of the Nortel VPN client (May 2006). I do not
  know if it is the latest.
 
  Most, if not all security fixes applied to XP clients.
 
  On your last question, I believe you are referring to what Nortel
  calls service mode where the VPN client installs itself as a service and
  the user supplies their VPN credentials (we use SecurID) on the NT logon
  screen. Our networking people (they own the VPN and client) will not allow
  it to be used in that manner without testing, and they won't test because
  they are replacing the Nortel IPSec VPN with an SSL VPN (which I presume
  will have the same issue).
 
   --
  *From:* [EMAIL PROTECTED] [mailto:
  [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
  *Sent:* Wednesday, November 29, 2006 12:42 PM
  *To:* ActiveDir@mail.activedir.org
  *Subject: *Re: [ActiveDir] Updating cached credentials
 
   You said the gpresult didn't give you the group membership
  regardless, right? Just that the gpo was applied properly after the three
  finger salute.  I do know that the three finger salute method, with Nortel's
  client will cache the user's credentials ( i.e. the user's password)
  but was not sure if it would for the group membership.
 
  That's interesting.
 
  Did you check to be sure you have the latest Nortel client and fixes
  for your XP clients?
 
  One other thing: I suppose it's semantics that we're discussing, but
  have you considered having the user logon using the dial-up connection (
  i.e. the Nortel client via the GINA method) instead of having the user
  logon first, then establish the vpn? What were the results of that method?
 
 
 
  On 11/29/06, Ken Cornetet [EMAIL PROTECTED] wrote:
  
We had the user reboot, login using cached credentials, start the
   VPN, then run GPRESULT.
  
--
   *From:* [EMAIL PROTECTED] [mailto:
   [EMAIL PROTECTED] *On Behalf Of *Al Mulnick
   *Sent:* Wednesday, November 29, 2006 11:56 AM
   *To:* ActiveDir@mail.activedir.org
   *Subject:* Re: [ActiveDir] Updating cached credentials
  
Curious.  After trying those, how did you validate that the user's
   group membership wasn't affected?
  
  
  
   On 11/29/06, Ken Cornetet  [EMAIL PROTECTED] wrote:
   
Ok, this is really strange...
   
I tried Al Mulnick's suggestion of having the user change their
password
via a three-finger 

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
easy... say something like: you cannot delete built-in groups/accounts ;-)
 
that should silence the guys and gals above! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2006-12-22 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups



Does anyone have a reference (preferably from MS) showing that you should not 
remove the Built in Security groups such as Schema Admins, Enterprise Admins, 
etc. It has come down from above that we should be removing these groups and 
while I know better I need some ammunition to back me up. 

Thanks, 
Andrew Fidel


This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread WATSON, BEN
I'm a bit confused on what you mean by removing the built-in security
groups?  Could you elaborate a little bit for me?

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, December 22, 2006 8:14 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups

 


Does anyone have a reference (preferably from MS) showing that you
should not remove the Built in Security groups such as Schema Admins,
Enterprise Admins, etc. It has come down from above that we should be
removing these groups and while I know better I need some ammunition to
back me up. 

Thanks, 
Andrew Fidel



RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Almeida Pinto, Jorge de
by the way, what is the reason? I hope it is not something like security. If 
you were able to delete them, it would create more of a mess compared to the 
added value
 
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of Almeida Pinto, Jorge de
Sent: Fri 2006-12-22 17:29
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Built in Security groups


easy... say something like: you cannot delete built-in groups/accounts ;-)
 
that should silence the guys and gals above! ;-)
 
Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
 
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
(   Tel : +31-(0)40-29.57.777
(   Mobile : +31-(0)6-26.26.62.80
*   E-mail : see sender address



From: [EMAIL PROTECTED] on behalf of [EMAIL PROTECTED]
Sent: Fri 2006-12-22 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups



Does anyone have a reference (preferably from MS) showing that you should not 
remove the Built in Security groups such as Schema Admins, Enterprise Admins, 
etc. It has come down from above that we should be removing these groups and 
while I know better I need some ammunition to back me up. 

Thanks, 
Andrew Fidel



RE: [ActiveDir] Strange Lock Out Issue

2006-12-22 Thread Salandra, Justin A.
Is the lockout on the user's workstation, or on the domain?  i.e., how
can you tell that there is a lockout (what's the symptom)?
Lockout is on the domain, we have a web filter that requires authentication and
when the account is locked out, the access denied page pops up on the
Internet.

Does the user have a mail client open (e.g., Outlook or similar)?
Yes, Outlook 2003

Is the user logged in from multiple workstations at the same time?
She has in the past, but the past few times no.

Did the user call the help desk to change passwords, or use a web-based
password reset program, while logged in to Windows?
NO

Are you sure the user is not logged into the domain when this happens?
She is in the domain when this happens

Is the user connected to a VPN when this happens?
NO

Answers to these might help track down your problem..  :-)

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Thursday, December 21, 2006 11:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Strange Lock Out Issue

Hi Justin,

 I have a user, who is not logged in anywhere else, and while surfing
the
 web or access a program is getting locked out of her account for no
 reason.  I have checked the logs on all three domain controllers and
 nothing is showing a failed logon attempt or bad password.  It doesn't
 even show when the account got locked.  Any ideas on how to rectify
 this?

Is the lockout on the user's workstation, or on the domain?  i.e., how
can you tell that there is a lockout (what's the symptom)?

Does the user have a mail client open (e.g., Outlook or similar)?

Is the user logged in from multiple workstations at the same time?

Did the user call the help desk to change passwords, or use a web-based
password reset program, while logged in to Windows?

Are you sure the user is not logged into the domain when this happens?

Is the user connected to a VPN when this happens?

Answers to these might help track down your problem..  :-)

-- 
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com







  The information in this email is confidential and may be legally
  privileged.  It is intended solely for the addressee.  Access to this
  email by anyone else is unauthorized.  If you are not the intended
  recipient, any disclosure, copying, distribution or any action taken
or
  omitted to be taken in reliance on it, is prohibited and may be
unlawful.



On Tue, 19 Dec 2006, Salandra, Justin A. wrote:

 That is just the thing, no event IDs exist for the account lockout on
 any DC even though I have Auditing turned on.  This is why it is a
 strange lockout.



 

 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Monday, December 18, 2006 3:39 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Strange Lock Out Issue



 Eventcombmt the DCs for whatever the lockout ID is also works.



 Thanks,

 Brian Desmond

 [EMAIL PROTECTED]



 c - 312.731.3132



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
 Sent: Monday, December 18, 2006 2:50 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Strange Lock Out Issue



 Download the Account Lockout and Management Tools from Microsoft.
More
 specifically, from the downloaded EXE, extract the LockoutStatus.EXE
 file and use it to query for the user account that is having issues.



 It will tell you how many bad password attempts have been made, what
 time/date the lockout occurred, and on what DC.  Furthermore, you can
 directly manage the Domain Controller from the tool and pull up the
 event viewer to look for the security entry pointing you to the source
 of the bad credentials.



 It's always worked like a charm for me when dealing with issues like
 these.



 Good luck,

 ~Ben



 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
 Justin A.
 Sent: Monday, December 18, 2006 11:35 AM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Strange Lock Out Issue



 I have a user, who is not logged in anywhere else, and while surfing
the
 web or access a program is getting locked out of her account for no
 reason.  I have checked the logs on all three domain controllers and
 nothing is showing a failed logon attempt or bad password.  It doesn't
 even show when the account got locked.  Any ideas on how to rectify
 this?



 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager
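The per-DC check that LockoutStatus.exe automates (Ben Watson's suggestion above), written out as an added PowerShell example that is not from the thread: it asks every domain controller for the non-replicated badPwdCount and badPasswordTime values, then reads the lockout event on the DC that actually recorded the bad passwords. The account name is a placeholder; Get-WinEvent and event ID 4740 assume Windows Server 2008 or later (on Windows Server 2003 the equivalent is event 644, which is what EventCombMT would be searching for).

```powershell
# Added example (not from the thread): what LockoutStatus.exe does, by hand.
# badPwdCount and badPasswordTime are NOT replicated between DCs, so the DC holding
# the highest count / newest time is the one that saw the bad passwords, and its
# Security log names the machine they came from. The PDC emulator also receives a
# copy of every lockout, so it is a reasonable place to start when there are many DCs.

function Get-LockoutStatus {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    # Escape RFC 4515 filter metacharacters so an odd account name cannot widen the search.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    foreach ($dc in $domain.DomainControllers) {
        # Bind to each DC explicitly; a serverless LDAP:// bind would hide the per-DC values.
        $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)")
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"
        [void]$searcher.PropertiesToLoad.AddRange([string[]]('badPwdCount', 'badPasswordTime', 'lockoutTime'))

        try   { $hit = $searcher.FindOne() }
        catch { Write-Warning "$($dc.Name): $($_.Exception.Message)"; continue }
        if (-not $hit) { continue }

        # DirectorySearcher hands these LargeInteger attributes back as Int64 FILETIME values.
        $p    = $hit.Properties
        $bad  = if ($p['badpasswordtime'].Count) { [long]$p['badpasswordtime'][0] } else { 0 }
        $lock = if ($p['lockouttime'].Count)     { [long]$p['lockouttime'][0] }     else { 0 }
        [PSCustomObject]@{
            DC              = $dc.Name
            BadPwdCount     = if ($p['badpwdcount'].Count) { [int]$p['badpwdcount'][0] } else { 0 }
            LastBadPassword = if ($bad  -gt 0) { [DateTime]::FromFileTime($bad) }  else { $null }
            LockedSince     = if ($lock -gt 0) { [DateTime]::FromFileTime($lock) } else { $null }
        }
    }
}

function Get-LockoutCaller {
    # Read the lockout events for the account from the DC that recorded the bad passwords.
    # Event 4740 (Windows Server 2008 and later) carries "Caller Computer Name", i.e. the
    # workstation or service still presenting the stale password.
    param([string]$DomainController, [string]$SamAccountName)
    Get-WinEvent -ComputerName $DomainController -MaxEvents 200 `
                 -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($SamAccountName))\s" } |
        ForEach-Object {
            $caller = if ($_.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { '?' }
            [PSCustomObject]@{ Time = $_.TimeCreated; CallerComputer = $caller }
        }
}

# Usage: 'jdoe' is a placeholder account name.
$status = Get-LockoutStatus -SamAccountName 'jdoe' | Sort-Object BadPwdCount, LastBadPassword -Descending
$status | Format-Table -AutoSize
$origin = $status | Select-Object -First 1
if ($origin -and $origin.BadPwdCount -gt 0) {
    Get-LockoutCaller -DomainController $origin.DC -SamAccountName 'jdoe' | Format-Table -AutoSize
}
```

A DC that shows a lockoutTime but zero badPwdCount did not see the bad passwords itself; it only replicated the lockout, so keep looking at the others.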

 

RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Salandra, Justin A.
We use a product called rDirectory and the Reset Password function has
suddenly sporadically stopped working throwing what appear to be .net
errors.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]
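The OU-level delegation Ben Watson describes above (reset password, unlock, and the related property rights on one OU, instead of Account Operators), as an added PowerShell example that is not from the thread. The OU distinguished name and group name are placeholders; the GUIDs are the standard Active Directory schema identifiers for the user class, the Reset Password control access right, and the lockoutTime and pwdLastSet attributes.

```powershell
# Added example (not from the thread): delegate only the helpdesk tasks on one OU, then
# audit the result. OU DN and group name are placeholders; the GUIDs are the standard
# Active Directory schema identifiers for the objects and rights named in the comments.
$OuDn      = 'OU=Staff,DC=example,DC=com'      # placeholder: OU holding the user accounts
$GroupName = 'EXAMPLE\HelpDesk-PwReset'        # placeholder: group that gets the rights

$UserClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # objectClass user
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # control access right "Reset Password"
$LockoutTime   = [Guid]'28630ebf-41d5-11d1-a9c1-0000f80367c1'  # attribute lockoutTime (ADUC "Unlock account" writes 0)
$PwdLastSet    = [Guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'  # attribute pwdLastSet ("must change at next logon")
# "Change Password" is deliberately not added: users already hold it on their own account by default.

$Rights    = [System.DirectoryServices.ActiveDirectoryRights]
$ReadWrite = $Rights::ReadProperty -bor $Rights::WriteProperty
$Allow     = [System.Security.AccessControl.AccessControlType]::Allow
# Descendents + $UserClass: each ACE lands on user objects below the OU only, not on the OU
# itself and not on computers or groups that happen to live there.
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ou  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn")

$rules = @(
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $Rights::ExtendedRight, $Allow, $ResetPassword, $Inherit, $UserClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ReadWrite, $Allow, $LockoutTime, $Inherit, $UserClass)
    [System.DirectoryServices.ActiveDirectoryAccessRule]::new($sid, $ReadWrite, $Allow, $PwdLastSet, $Inherit, $UserClass)
)
foreach ($rule in $rules) { $ou.ObjectSecurity.AddAccessRule($rule) }
$ou.CommitChanges()

# Audit: every ACE on the OU that names the group, inherited ones included. Expected: exactly
# the three above. GenericAll / WriteDacl / WriteOwner here would mean the delegation has
# drifted toward Account Operators-style power and should be pulled back.
$ou.RefreshCache()
$granted = $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid }
$granted | Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, IsInherited |
    Format-Table -AutoSize

$dangerous = $Rights::GenericAll -bor $Rights::WriteDacl -bor $Rights::WriteOwner
foreach ($ace in $granted) {
    if (($ace.ActiveDirectoryRights -band $dangerous) -ne 0) {
        Write-Warning "$GroupName holds $($ace.ActiveDirectoryRights) on $OuDn, which is more than reset/unlock"
    }
}
```

Run it as an account that can modify the OU's DACL; the audit half can be rerun on its own at any time to confirm the delegation has not grown.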

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Salandra, Justin A.
This is probably what I'm gonna do.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, December 22, 2006 12:55 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

I gave a 500K seat org helpdesk a copy of ADUC and the same rights as
below and it worked like a charm. Not pretty but cheap and functional.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Salandra, Justin A.
That gives them way too much permission on the directory.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group,
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated 
 password reset functions to your helpdesks.  We have a product that 
 does this but it is continually having problems and want to know if 
 there are any other ways.

  

 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

  



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
Ah interesting.  For tasks related specifically to technically
proficient IT personnel, I prefer to keep it simple (from the standpoint
of application layers in between the user and the completed task).  I
delegate granular rights, give them the adminpak, and tell them what
they can and can't do.  If they try to do something they can't do, they
just get an access denied error anyway.  There are no additional layers
of software to make things overly complex (and easier to break).

 

For non-IT personnel, that's where having an alternative front-end is
nice.  In our case, we have an in-house developed web based application
that allows our HR department to directly create and disable user
accounts as well as do other minor configuration such as mailbox
enabling.  This addressed a communications gap in which HR and IT would
not communicate effectively enough and new and terminated employees
would not have accounts created or disabled in a timely manner.  Now
that HR has the ability to do that themselves, the process has been
streamlined and things in general run a lot smoother.

 

This same web based application also acts as our internal corporate
directory.

 

~Ben

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, December 22, 2006 8:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

We use a product called rDirectory and the Reset Password function has
suddenly sporadically stopped working, throwing what appear to be .NET
errors.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
That is precisely why that group existed in NT4. Now it is a holdover for
the migration periods when you have NT4 and AD deployed. Honestly I wish the
group would vanish the instant you clicked native mode. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Friday, December 22, 2006 10:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group, 
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated 
 password reset functions to your helpdesks.  We have a product that 
 does this but it is continually having problems and want to know if 
 there are any other ways.

  

 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]

  



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
You will either delegate or you will proxy. That is about it for the
choices. And quite frankly, the proxy is just a delegation to a specific
account that does the authentication/authorization of the support folks on
its own. 
 
To be most honest, I prefer proxy over delegation. It is much easier to
track and control and enforce some kind of business logic. I much prefer to
stop people up front than try to track later what the heck happened. 
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets



I wanted to find out from all of you what ways you have delegated password
reset functions to your helpdesks.  We have a product that does this but it
is continually having problems and want to know if there are any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread joe
Good ol .NET. :)
 
Honestly you can probably throw a pretty simple ASP.NET app together to do
this. Doubt there is a reason to buy anything and then when it dorks up you
can fix on your own. JoeK probably has this code on a web site somewhere.
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets



We use a product called rDirectory and the Reset Password function has
suddenly sporadically stopped working, throwing what appear to be .NET
errors.

 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU containing
our user accounts to provide a granular delegation of rights so the members
of this security group can go into ADUC and unlock user accounts or
reset/change passwords only.  I modified various read/write property rights
as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 


From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated password
reset functions to your helpdesks.  We have a product that does this but it
is continually having problems and want to know if there are any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
Why would you want to modify the change password rights on your OUs?  That 
doesn't make sense to delegate: unlike password reset, it's the right that only 
allows you to _change_ the password if you know the old one...

So this is typically the right that users need to change the PW on their own 
account - and by default it's granted to the Everyone well-known secprin. This 
is NOT a security issue since if you know a user's password, you _are_ the user.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Freitag, 22. Dezember 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing 
our user accounts to provide a granular delegation of rights so the members of 
this security group can go into ADUC and unlock user accounts or reset/change 
passwords only.  I modified various read/write property rights as well as reset 
password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset 
functions were you referring to?


From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it is 
continually having problems and want to know if there are any other ways.


Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]mailto:[EMAIL PROTECTED]



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
That's a legacy group from NT4 that you shouldn't leverage in an AD 
environment. In fact, you should remove it from the default security descriptor 
of your user and group objects to keep your AD clean from unused ACEs.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Michael Miller
Sent: Freitag, 22. Dezember 2006 16:39
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

I put the user accounts of the helpdesk personnel in the built in group,
Account Operators. This is precisely why I think that group exists.

-mjm


Salandra, Justin A. wrote:

 I wanted to find out from all of you what ways you have delegated
 password reset functions to your helpdesks.  We have a product that
 does this but it is continually having problems and want to know if
 there are any other ways.



 Justin A. Salandra

 MCSE Windows 2000 and 2003

 Network and Technology Services Manager

 Catholic Health Care System

 646.505.3681

 cell 917.455.0110

 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED]





RE: [ActiveDir] Updating cached credentials

2006-12-22 Thread Lu, WeiMing
We are undergoing a project to have laptops join our AD domain so we can
centrally manage these machines via AD GPOs. The product we are testing is
the F5 Firepass SSL VPN GINA client. The glitch we experience is not related
to the VPN, but to computer account authentication to a DC from outside our
network. Our domain admin told us that DCs should not be exposed to the
Internet (we understood), which causes the laptops to hang for a few minutes
until the timeout during the computer authentication phase. Is there any
approach that can reduce the computer-to-DC contact timeout? Surprisingly,
with Vista, we didn't experience the hanging issue. 
 
 
===
Weiming Lu
Emory College Computing Support
(404)727-7917
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, December 22, 2006 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials


Thanks Ken!


On 12/22/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

We proved it by running GPRESULT and seeing the group listed as
one of the groups the user was a member of.
 
The dialup connection option requires that the Nortel VPN client
be installed in what Nortel calls service mode. Our network folk don't
allow that (long story).
 
It isn't an SSL VPN, it is ipsec.



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Thursday, December 21, 2006 3:30 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



how'd you prove that the user creds were resynched and that the
group memberships were appropriate? 

Saying that, I'm sure that a GINA would have solved that issue
if you log on via the dial-up connection.  Have you already tried that
method? (That's where you create the VPN as a connection you can choose
and, prior to logon, use the dial-up connection check box for the logon.)
That implies that you have the alternate GINA installed from Nortel. 

For your method you specified here, does that work with the ssl
vpn? That would greatly interest me if it did. 

Al


On 12/21/06, Ken Cornetet [EMAIL PROTECTED] wrote: 

I have found a solution to the problem of updating group
information in cached credentials. Here's how a user would do it
(assumes user has admin rights, sorry)
 

Log on with a LOCAL user id.
Establish a VPN connection.
Use ALT+CTRL+DEL to lock the workstation.
Unlock the workstation using your DOMAIN user ID, not
the local user ID (This will cause the local user id to be logged off).
Log in with your domain user ID.
Run GPUPDATE /FORCE
 
 



From: [EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Wednesday, November 29, 2006 2:16 PM 

To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Updating cached credentials



My suggestion on that is to check with Nortel without
mentioning the psynch control and see what they recommend. 

SSL vpns are by nature a user-mode application but I'm
not familiar with how Nortel recommends to use it. 

As for the gpresult, I'm sorry to say I do not know
where it gets its information. Might be worth filing a DCR for it to
get the information from the same place that the group policy engine
does, though. 

Al


On 11/29/06, Ken Cornetet [EMAIL PROTECTED]
wrote: 

The three finger salute did NOT result in the
GPO being applied. The only thing that made the GPO get applied was the
Psynch ActiveX control.
 
We have a recent version of the Nortel VPN
client (May 2006). I do not know if it is the latest.
 
Most, if not all security fixes applied to XP
clients.
 
On your last question, I believe you are
referring to what Nortel calls service mode where the VPN client
installs itself as a service and the user supplies their VPN credentials
(we use SecurID) on the NT logon screen. Our networking people (they own
the VPN and client) will not allow it to be used in that manner without
testing, and they won't test because they are replacing the Nortel IPSec
VPN with an SSL VPN (which I presume will have the same issue).



From: [EMAIL PROTECTED]

RE: [ActiveDir] Built in Security groups

2006-12-22 Thread Grillenmeier, Guido
Not putting any users in the groups is basically the same effect as removing 
them from an operational perspective.  If you don't have a user in the group, 
nobody has the rights to change things that only these groups have rights to.  
That's probably what your mgmt wants to achieve.  You'd then populate the 
groups on an as-needed basis to perform specific tasks.

The reason why you don't want to remove them (which you could technically) is 
pretty easy: these groups are there for a purpose, i.e. they have been granted 
specific rights in AD to perform special tasks. This includes schema mgmt and 
administration of the config NC.  If you don't like the groups, you'd have to 
ACL AD to allow another group to perform the tasks - doesn't really make any 
sense ...

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Freitag, 22. Dezember 2006 17:14
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Built in Security groups


Does anyone have a reference (preferably from MS) showing that you should not 
remove the Built in Security groups such as Schema Admins, Enterprise Admins, 
etc. It has come down from above that we should be removing these groups and 
while I know better I need some ammunition to back me up.

Thanks,
Andrew Fidel


RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Grillenmeier, Guido
I don't - I like leveraging the capabilities of AD and this is something where 
it can perform quite well. That's not true for other things you can delegate, 
such as creation of objects, where you might really want to add a business 
logic.  These actions are often combined these days with provisioning tools.

But for resetting passwords in a strongly distributed environment, where you 
may want to delegate PW mgmt to specific branches in your company, I prefer to 
use the native AD rights and have the change happen on a DC close to the user. 
Specifically for lockout and user-must-change-pw actions, since these are not 
handled/replicated the same way as pw-resets.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Freitag, 22. Dezember 2006 18:33
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

You will either delegate or you will proxy. That is about it for the choices. 
And quite frankly, the proxy is just a delegation to a specific account that 
does the authentication/authorization of the support folks on its own.

To be most honest, I prefer proxy over delegation. It is much easier to track 
and control and enforce some kind of business logic. I much prefer to stop 
people up front than try to track later what the heck happened.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin 
A.
Sent: Thursday, December 21, 2006 9:25 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it is 
continually having problems and want to know if there are any other ways.


Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]mailto:[EMAIL PROTECTED]
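
The OU delegation Ben describes, with Guido's two caveats applied (no Change Password right; lockout and must-change-at-next-logon handled as their own attribute writes), as an added PowerShell example. This is not code from the thread or from any product named in it. It assumes the RSAT ActiveDirectory module, a caller allowed to modify the OU's DACL, and the OU DN and group name used in the usage call at the bottom; the Change Password check in the second function is the review a practitioner would run afterwards.

```powershell
# Added example, not code from the thread. Delegates Reset Password on user
# objects below one OU, plus read/write on lockoutTime (unlock) and pwdLastSet
# (force change at next logon). Change Password is deliberately not granted;
# SELF/Everyone already hold it by default. GUIDs are resolved from the schema
# and the Extended-Rights container rather than hard-coded.
Import-Module ActiveDirectory

function Get-SchemaGuid {
    # schemaIDGUID of an attribute or class, looked up by lDAPDisplayName.
    param([Parameter(Mandatory)] [string] $LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [Guid] $obj.schemaIDGUID
}

function Get-ExtendedRightGuid {
    # rightsGuid of a control-access right such as "Reset Password".
    param([Parameter(Mandatory)] [string] $DisplayName)
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    return [Guid] $obj.rightsGuid
}

function Grant-HelpdeskPasswordReset {
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $HelpdeskGroup
    )
    $sid      = (Get-ADGroup -Identity $HelpdeskGroup).SID
    $userGuid = Get-SchemaGuid 'user'      # inherited-object type: user objects only
    $allow    = [System.Security.AccessControl.AccessControlType]::Allow
    $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $rwProp   = [System.DirectoryServices.ActiveDirectoryRights] 'ReadProperty, WriteProperty'

    $resetPw  = Get-ExtendedRightGuid 'Reset Password'
    $lockout  = Get-SchemaGuid 'lockoutTime'
    $pwdLast  = Get-SchemaGuid 'pwdLastSet'
    $ruleType = [System.DirectoryServices.ActiveDirectoryAccessRule]
    $rules = @(
        $ruleType::new($sid, $extRight, $allow, $resetPw, $inherit, $userGuid)   # reset password
        $ruleType::new($sid, $rwProp,   $allow, $lockout, $inherit, $userGuid)   # unlock: write lockoutTime
        $ruleType::new($sid, $rwProp,   $allow, $pwdLast, $inherit, $userGuid)   # must change at next logon
    )

    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -Path "AD:\$OuDistinguishedName" -AclObject $acl
}

function Test-HelpdeskPasswordReset {
    # Review step: list what the group actually holds on the OU and flag the
    # Change Password right, which has no place in a helpdesk delegation.
    param(
        [Parameter(Mandatory)] [string] $OuDistinguishedName,
        [Parameter(Mandatory)] [string] $HelpdeskGroup
    )
    $sid      = (Get-ADGroup -Identity $HelpdeskGroup).SID
    $changePw = Get-ExtendedRightGuid 'Change Password'
    $acl      = Get-Acl -Path "AD:\$OuDistinguishedName"
    # Compare on the resolved SID so a renamed group still matches.
    $aces = @($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid })
    $hasChangePw = @($aces | Where-Object { $_.ObjectType -eq $changePw }).Count -gt 0
    [PSCustomObject]@{
        Group             = $HelpdeskGroup
        Rights            = @($aces | ForEach-Object { "$($_.AccessControlType) $($_.ActiveDirectoryRights) $($_.ObjectType)" })
        HasChangePassword = $hasChangePw   # expected: False
    }
}

# Usage (OU and group names are assumptions for this example):
# Grant-HelpdeskPasswordReset -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -HelpdeskGroup 'Helpdesk-PwReset'
# Test-HelpdeskPasswordReset  -OuDistinguishedName 'OU=Staff,DC=example,DC=com' -HelpdeskGroup 'Helpdesk-PwReset'
```

The rules are scoped with an inherited-object type of the user class, so the group gains nothing on computers, groups or the OU itself; the delegation lands on a DC close to the operator, which is the property Guido prefers for lockout and must-change handling.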



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread WATSON, BEN
Ah good to know.  I'll remove that right from the security group I
delegated the rights to since it's unnecessary.

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier,
Guido
Sent: Friday, December 22, 2006 9:51 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

Why would you want to modify the change password rights on your OUs?
That doesn't make sense to delegate: unlike password reset, it's the
right that only allows you to _change_ the password if you know the old
one...  

 

So this is typically the right that users need to change the PW on their
own account - and by default it's granted to the Everyone well-known
secprin. This is NOT a security issue since if you know a user's password,
you _are_ the user.

 

/Guido

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Freitag, 22. Dezember 2006 06:38
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Brian Desmond
It's in the book and his book's website - I was feeling lazy the other
day and copied it verbatim to make a password reset page rather than
look up the line of code I couldn't remember. Worked great.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, December 22, 2006 11:34 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

Good ol .NET. :)

 

Honestly you can probably throw a pretty simple ASP.NET app together to
do this. Doubt there is a reason to buy anything and then when it dorks
up you can fix on your own. JoeK probably has this code on a web site
somewhere.

 

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 

 

 

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra,
Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

We use a product called rDirectory and the Reset Password function has
suddenly sporadically stopped working, throwing what appear to be .NET
errors.

 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

 

In our case, I simply modified the security permissions on the OU
containing our user accounts to provide a granular delegation of rights
so the members of this security group can go into ADUC and unlock user
accounts or reset/change passwords only.  I modified various read/write
property rights as well as reset password and change password rights.

 

Besides modifying ACLs, what other methods of delegating password reset
functions were you referring to?

 



From: [EMAIL PROTECTED] on behalf of Salandra, Justin
A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets

I wanted to find out from all of you what ways you have delegated
password reset functions to your helpdesks.  We have a product that does
this but it is continually having problems and want to know if there are
any other ways.

 

Justin A. Salandra

MCSE Windows 2000 and 2003

Network and Technology Services Manager

Catholic Health Care System

646.505.3681

cell 917.455.0110

[EMAIL PROTECTED]

 



Re: [ActiveDir] Filter out a certain group of users from the GAL

2006-12-22 Thread Kamlesh Parmar

I think it might be due to the placement of your specific filter: if you are
placing it among the OR filters, some other filter might come true and return
the users. Instead, put your specific filter outside the OR, alongside the AND.

So you might want to try it like this..

Your current one is:  (&(X)(|(Y)(Z)(W))) so here, if your specific
condition is say W, then it won't help, as the users you want to filter may be
included in Y or Z.

You may want to convert it to:  (&(X)(W)(|(Y)(Z)))


--
Kamlesh
~
You teach best what you most need to learn.
~

On 12/21/06, Victor W. [EMAIL PROTECTED] wrote:


Thanks, this got me closer to the correct query. It sure saved me a lot of
tries, trying to get the query right using (!attr=val) instead of using
(!(attr=val)). I however did not manage to get it working completely.
Even with the (!(attr=val)) the query outputs exactly the same.

The query below does perhaps look more complex than it in fact is. It is
in
fact the Default GAL from Exchange as it comes out of the box. I have been
trying to filter out a certain group from appearing in this GAL.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Tuesday, December 19, 2006 8:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Filter out a certain group of users from the GAL

I didn't look it over completely to see what you are doing but noticed the
(!attr=val) and wanted to comment on that specific piece...

When making AL filters, Exchange is picky and if you put in a ! you need to
use the long form of (!(attr=val)) and not (!attr=val). While AD will not
have a problem with the filter, AD isn't interpreting that filter; Exchange
is pulling everything from AD and doing the filtering itself. That is why
ESM will show you one result and what you really get could be something
completely different. I once got a crap answer from an Alliance Exchange PSS
that someone made up about the RFC standards etc but that reason was, as I
said, crap. It is just something you have to be aware of when working with
those filters.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, December 19, 2006 11:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Filter out a certain group of users from the GAL

I have been trying to filter out a certain group of users from the GAL,
these users should not appear in the GAL.

I have used the ! sign but it looks simpler than it in fact is.

This is the Default GAL:

(&(mailnickname=*)(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

I want to exclude people who are a member of a group called XYZ Users
and thought about doing it with:

(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)

The complete query is now:

(&(mailnickname=*)(|(&(objectCategory=person)(!memberOf=CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=group)(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))

The above query outputs exactly the same objects as the first query,
the one of the Default GAL. So somehow the group is not being filtered
out.

Probably just me overlooking something.

Cheers,


Victor
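
Kamlesh's restructuring and joe's long-form negation, carried through on Victor's actual GAL filter, as an added PowerShell example (not code from the thread). It assumes the RSAT ActiveDirectory module and a domain in which the group DN from Victor's post exists; the comparison function is the check a practitioner would run before touching the Exchange address list.

```powershell
# Added example, not code from the thread. Wraps the Exchange default GAL filter
# in a new top-level AND that carries the group exclusion, so the exclusion
# applies to every branch of the OR instead of only the branch it was pasted
# into, and uses the (!(attr=val)) form that Exchange's own filter code expects.
Import-Module ActiveDirectory

# Exchange 2003 default GAL filter, as quoted in the thread.
$DefaultGalFilter = '(&(mailnickname=*)(|' +
    '(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))' +
    '(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))' +
    '(&(objectCategory=person)(objectClass=contact))' +
    '(objectCategory=group)(objectCategory=publicFolder)' +
    '(objectCategory=msExchDynamicDistributionList)))'

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for the characters that are special inside a filter value.
    param([Parameter(Mandatory)] [string] $Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29')
}

function New-GalFilterExcludingGroup {
    # (&(!(memberOf=<group>))<default GAL filter>): the NOT sits in the AND,
    # never inside one alternative of the OR.
    param([Parameter(Mandatory)] [string] $GroupDn)
    $exclude = "(!(memberOf=$(ConvertTo-LdapFilterValue $GroupDn)))"
    return "(&$exclude$DefaultGalFilter)"
}

function Compare-GalFilter {
    # Runs the default and the corrected filter against AD and returns what the
    # exclusion removed. Per joe's point, Exchange applies the filter itself after
    # pulling objects from AD, so the final check is the GAL, not this query.
    param(
        [Parameter(Mandatory)] [string] $GroupDn,
        [string] $SearchBase = (Get-ADDomain).DistinguishedName
    )
    $before  = @(Get-ADObject -LDAPFilter $DefaultGalFilter -SearchBase $SearchBase)
    $after   = @(Get-ADObject -LDAPFilter (New-GalFilterExcludingGroup $GroupDn) -SearchBase $SearchBase)
    $removed = @(Compare-Object -ReferenceObject $before -DifferenceObject $after -Property DistinguishedName |
        Where-Object SideIndicator -eq '<=')
    [PSCustomObject]@{
        BeforeCount = $before.Count
        AfterCount  = $after.Count
        Removed     = @($removed | Select-Object -ExpandProperty DistinguishedName)
    }
}

# Usage (group DN taken from Victor's post; run it in that domain):
# Compare-GalFilter -GroupDn 'CN=XYZ Users,OU=XYZ,OU=First,DC=nl,DC=test,DC=gbl'
```

Note that memberOf only reflects direct membership (and only for groups in the same domain or global catalog view), so members inherited through nested groups are not excluded by this filter.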



[ActiveDir] Directory Experts Conference 2007

2006-12-22 Thread Gil Kirkpatrick
Greetings, list denizens.

The next Directory Experts Conference is scheduled for April 22-25 at
the Red Rock Resort in Summerlin, NV. DEC is the premier conference
focused on Microsoft Identity and Access technologies, including AD,
AD/AM, MIIS, ADFS. New this year are sessions on Certificate Lifecycle
Manager (CLM) and Rights Management Server (RMS). DEC 2007 will also
include pre-conference workshops for Longhorn AD, MIIS (using the latest
Raven bits), ADFS, and possibly InfoCard. You can find out more about
DEC at www.dec2007.com.

DEC is fundamentally a community event, which brings me to the reason
I'm posting this to the list: We are still in the midst of organizing
the conference, and I would like to solicit your input before we nail
everything down. I've set up a wiki for the speakers and organizers (for
those of you so uncool as to not know what a wiki is, see
http://en.wikipedia.org/wiki/Wiki). The wiki currently includes pages
for all of the sessions, as well as each of the workshops. I would
_really_ appreciate it if you could take the time to look over the site
and add any questions, comments or suggestions you might have by
clicking the Add Comment link at the bottom of each page. I'm
particularly interested in your thoughts and desires for the workshops
and sessions. I know the speakers would appreciate your input regarding
their sessions as well. Even if you don't plan on attending DEC this
year, your thoughts and questions are still valuable to me and the
speakers.

The DEC wiki is at http://dec.editme.com, and is available to the public
for reading and commenting. Only the speakers can actually change the
pages. If you want to get email notifications of changes to the wiki,
click the Register link and provide an email address. You'll then get an
email once a day listing the URLs of the changed pages.

Here are some pages to start with:

Backpacks? Messenger bags? Or something else entirely? Make your
suggestions for DEC swag at http://dec.editme.com/DEC2007Events.
Would you be interested in a half-day CardSpace workshop? See Pamela
Dingle's ideas for the workshop at
http://dec.editme.com/Dec2007CardspaceWorkshop and make your comments.
Any feedback on the sessions? Go to
http://dec.editme.com/DEC2007Sessions.

Thanks again for your time and input, and I hope to see you at DEC next
year!

-gil

Gil Kirkpatrick
DEC Founder

Meet us in Las Vegas April 22-25 for the 6th annual Directory Experts
Conference http://www.dec2007.com .
The information in this email is CONFIDENTIAL and is intended only for
the addressee named above. If you have received this communication in
error, please notify me immediately and destroy the communication.
Access to this email by anyone else is unauthorized. Any wrongful
interception of this message is punishable as a federal crime. Please
note that any views or opinions presented in this email are solely those
of the author and do not necessarily represent those of the company.



Re: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Joe Kaplan
This is definitely something I've written a few times.  I actually don't 
have a stand alone ASP.NET page that does this, as I tend to write ASP.NET 
apps that are a bit more architected and have stuff implemented in 
different layers to help facilitate reuse and testability, so the actual LDAP 
code would be in a different DLL and the page would be a very thin facade.


However, the complete code samples from our book would make a nice foundation 
for building a page to do this.  We also cover the reasons why ADSI 
SetPassword and ChangePassword can be so tricky to deal with in our book in 
ch 10 (which is a free download from www.directoryprogramming.net).  We also 
have a pure LDAP approach in our book that successfully avoids most of 
these problems, but it requires .NET 2.0 (hopefully not a big issue for most 
people these days).


I agree that buying a program to do this seems a little crazy to me, but I'm 
also a good developer, so a lot of things that seem easy to me might not be 
easy to other people.


Joe K.

- Original Message - 
From: joe

To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets


Good ol .NET. :)

Honestly you can probably throw a pretty simple ASP.NET app together to do 
this. Doubt there is a reason to buy anything and then when it dorks up you 
can fix on your own. JoeK probably has this code on a web site somewhere.


--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.

Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets


We use a product called rDirectory and the Reset Password function has 
suddenly sporadically stopped working throwing what appear to be .net 
errors.





From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN

Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing 
our user accounts to provide a granular delegation of rights so the members 
of this security group can go into ADUC and unlock user accounts or 
reset/change passwords only.  I modified various read/write property rights 
as well as reset password and change password rights.


Besides modifying ACLs, what other methods of delegating password reset 
functions were you referring to?





From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password 
reset functions to your helpdesks.  We have a product that does this but it 
is continually having problems and want to know if there are any other ways.


Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]


List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx
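Ben Watson's approach above (an OU ACL granting only reset/change password and unlock rights) can be scripted through the same .NET DirectoryServices classes Joe Kaplan's book covers; the following is an added example, not code from the thread or from rDirectory. The OU path and group name are placeholders, and the schema GUIDs are the well-known defaults that you should verify against your own forest's schema partition.

```powershell
# Added example: delegate "reset password" and "unlock account" on one OU to a
# helpdesk group, applied only to descendant user objects, with no broader rights.
# Placeholders: the OU and the group name below are assumptions, not from the thread.
$ouPath = "LDAP://OU=Staff,DC=example,DC=com"
$group  = New-Object System.Security.Principal.NTAccount("EXAMPLE\Helpdesk-PwdReset")
$sid    = $group.Translate([System.Security.Principal.SecurityIdentifier])

# Default schema GUIDs (schemaIDGUID / rightsGuid). Verify in your forest before use.
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$resetPwdRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right
$lockoutTime   = [Guid]"28630ebf-41d5-11d1-a9c1-0000f80367c1"  # lockoutTime attribute (unlock = write 0)
$pwdLastSet    = [Guid]"bf967a0a-0de6-11d0-a285-00aa003049e2"  # pwdLastSet attribute (force change at next logon)

$ou  = [ADSI]$ouPath
$acl = $ou.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$rights  = [System.DirectoryServices.ActiveDirectoryRights]

# 1. Reset Password extended right, scoped to user objects under the OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::ExtendedRight, $allow, $resetPwdRight, $inherit, $userClass)))

# 2. Write lockoutTime so the helpdesk can unlock accounts.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights::WriteProperty, $allow, $lockoutTime, $inherit, $userClass)))

# 3. Read/write pwdLastSet so "user must change password at next logon" works.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
    $pwdLastSet, $inherit, $userClass)))

$ou.CommitChanges()

# Check: list exactly what the group now holds on the OU, so nothing broader
# (GenericAll, WriteDacl, WriteOwner) slipped in alongside the intended ACEs.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
```

Scoping each ACE with the user class as InheritedObjectType is what keeps the delegation from reaching computer or service accounts stored in the same OU.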


RE: [ActiveDir] Delegate Password Resets

2006-12-22 Thread Brian Desmond
A lot of companies don't have someone with your skill set to write it so
they think it's cheaper to buy stuff every time than to employ a decent
dev or two. It adds up over time but they still don't get it. There's
also the companies who have tons of devs and they're all clueless.

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, December 23, 2006 12:02 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Delegate Password Resets

This is definitely something I've written a few times.  I actually don't
have a stand alone ASP.NET page that does this, as I tend to write ASP.NET
apps that are a bit more architected and have stuff implemented in
different layers to help facilitate reuse and testability, so the actual LDAP
code would be in a different DLL and the page would be a very thin facade.

However, the complete code samples from our book would make a nice foundation
for building a page to do this.  We also cover the reasons why ADSI
SetPassword and ChangePassword can be so tricky to deal with in our book in
ch 10 (which is a free download from www.directoryprogramming.net).  We also
have a pure LDAP approach in our book that successfully avoids most of
these problems, but it requires .NET 2.0 (hopefully not a big issue for most
people these days).

I agree that buying a program to do this seems a little crazy to me, but I'm
also a good developer, so a lot of things that seem easy to me might not be
easy to other people.

Joe K.

- Original Message - 
From: joe
To: ActiveDir@mail.activedir.org
Sent: Friday, December 22, 2006 11:34 AM
Subject: RE: [ActiveDir] Delegate Password Resets


Good ol' .NET. :)

Honestly you can probably throw a pretty simple ASP.NET app together to do
this. Doubt there is a reason to buy anything and then when it dorks up you
can fix on your own. JoeK probably has this code on a web site somewhere.

--
O'Reilly Active Directory Third Edition - 
http://www.joeware.net/win/ad3e.htm






From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, December 22, 2006 11:48 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets


We use a product called rDirectory and the Reset Password function has 
suddenly sporadically stopped working throwing what appear to be .net 
errors.




From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of WATSON, BEN
Sent: Friday, December 22, 2006 12:38 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegate Password Resets

In our case, I simply modified the security permissions on the OU containing
our user accounts to provide a granular delegation of rights so the members
of this security group can go into ADUC and unlock user accounts or
reset/change passwords only.  I modified various read/write property rights
as well as reset password and change password rights.

Besides modifying ACLs, what other methods of delegating password reset 
functions were you referring to?




From: [EMAIL PROTECTED] on behalf of Salandra, Justin A.
Sent: Thu 12/21/2006 6:24 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegate Password Resets
I wanted to find out from all of you what ways you have delegated password
reset functions to your helpdesks.  We have a product that does this but it
is continually having problems and want to know if there are any other ways.

Justin A. Salandra
MCSE Windows 2000 and 2003
Network and Technology Services Manager
Catholic Health Care System
646.505.3681
cell 917.455.0110
[EMAIL PROTECTED]
 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ma/default.aspx